vLLM is an inference and serving engine for large language models (LLMs). From versions 0.10.2 to before 0.11.1, a memory corruption vulnerability could lead to a crash (denial-of-service) and potentially remote code execution (RCE), exists in the Completions API endpoint. When processing user-supplied prompt embeddings, the endpoint loads serialized tensors using torch.load() without sufficient validation. Due to a change introduced in PyTorch 2.8.0, sparse tensor integrity checks are disabled by default. As a result, maliciously crafted tensors can bypass internal bounds checks and trigger an out-of-bounds memory write during the call to to_dense(). This memory corruption can crash vLLM and potentially lead to code execution on the server hosting vLLM. This issue has been patched in version 0.11.1.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62164.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-123",
"CWE-20",
"CWE-502",
"CWE-787"
]
}{
"source": [
"CPE_RANGE",
"CPE_STRING",
"REFERENCES"
],
"cpe": [
"cpe:2.3:a:vllm:vllm:*:*:*:*:*:*:*:*",
"cpe:2.3:a:vllm:vllm:0.11.1:rc0:*:*:*:*:*:*",
"cpe:2.3:a:vllm:vllm:0.11.1:rc1:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "0.10.2"
},
{
"fixed": "0.11.1"
},
{
"introduced": "0.11.1-rc0"
},
{
"last_affected": "0.11.1-rc0"
},
{
"introduced": "0.11.1-rc1"
},
{
"last_affected": "0.11.1-rc1"
}
]
}